LAS VEGAS, NV — May 23, 2026 — Nsasoft US LLC today shipped NSAuditor AI Enterprise Edition v0.11.1 to npm — a PCI DSS v4.0.1 authoring deepening cycle on the framework introduced in v0.11.0. The release pairs with nsauditor-ai@0.1.73 (Community Edition) and nsauditor-ai-agent-skill@0.1.40 in the company’s thirtieth consecutive trio-publish.
This is a pure depth release on the existing PCI DSS v4.0.1 surface. Plugin count remains unchanged at 24. All four framework coverage matrices — SOC 2 (10/4/33), HIPAA (7/3/45), NIST CSF 2.0 (13/10/83), and PCI DSS v4.0.1 (20 covered / 8 partial / 39 OOS at MVP-67 density) — are unchanged. What changed is what appears on every PCI DSS report.
Per-control CDE-scope badge
Every PCI DSS Failing, Passing, and Partial section now carries a per-control Cardholder Data Environment scope badge. The cdeScope schema field takes one of three categories: Always-in-scope, CDE-only, and CDE-conditional. Findings on CDE-conditional controls only land in scope after the operator’s CDE Data Flow Diagram attestation per PCI DSS Req 1.2.4 and Req 12.5.1. The badge palette matches the renderer’s existing severity palette; cross-framework leak defense ensures the badges render only on PCI DSS HTML, never on SOC 2, HIPAA, or NIST CSF reports.
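The scope gating and leak defense described above, as an added illustration that is not Nsasoft's code: the release names the cdeScope field and its three categories; the finding shape, the badge CSS class names, the framework identifier strings and the sample findings are assumptions constructed for the example.

```javascript
// Added example (not NSAuditor AI's own code). Models how a per-control CDE-scope
// badge can be gated on the operator's Data Flow Diagram attestation and kept off
// non-PCI reports. Only `cdeScope` and its three values come from the release notes.

const CDE_SCOPES = new Set(['always-in-scope', 'cde-only', 'cde-conditional']);

// A CDE-conditional control is only reportable once the operator has attested
// the CDE Data Flow Diagram (Req 1.2.4 / 12.5.1). `dfdAttested` models that attestation.
function isInScope(control, dfdAttested) {
  if (!CDE_SCOPES.has(control.cdeScope)) {
    throw new Error(`unknown cdeScope: ${control.cdeScope}`);
  }
  if (control.cdeScope === 'cde-conditional') return dfdAttested === true;
  return true;
}

// Badge text and palette class. The class names are assumed; the idea is that
// they reuse the renderer's existing severity palette rather than a new one.
function scopeBadge(control) {
  const labels = {
    'always-in-scope': { text: 'Always in scope', cls: 'badge-high' },
    'cde-only': { text: 'CDE only', cls: 'badge-medium' },
    'cde-conditional': { text: 'CDE conditional', cls: 'badge-low' },
  };
  return labels[control.cdeScope];
}

// Cross-framework leak defense: the badge column exists only when rendering
// the PCI DSS report. Other frameworks get the plain row, never the badge markup.
function renderFindingRow(framework, finding, dfdAttested) {
  const row = [`<td>${finding.control.id}</td>`, `<td>${finding.title}</td>`];
  if (framework === 'pci-dss') {
    if (!isInScope(finding.control, dfdAttested)) return null; // not reportable yet
    const b = scopeBadge(finding.control);
    row.push(`<td><span class="${b.cls}">${b.text}</span></td>`);
  }
  return `<tr>${row.join('')}</tr>`;
}

// Constructed sample findings; the scope assignments are illustrative, not
// the product's actual mapping.
const FINDINGS = [
  { control: { id: '8.4.1', cdeScope: 'always-in-scope' }, title: 'MFA not enforced for admin access' },
  { control: { id: '3.5.1', cdeScope: 'cde-only' }, title: 'PAN stored unprotected' },
  { control: { id: '6.4.1', cdeScope: 'cde-conditional' }, title: 'Public-facing web app unprotected' },
];

function renderReport(framework, findings, dfdAttested) {
  return findings
    .map((f) => renderFindingRow(framework, f, dfdAttested))
    .filter(Boolean);
}

// The invariant a leak-defense test would assert on non-PCI output.
function leaksScopeBadge(rows) {
  return rows.some((r) => r.includes('badge-'));
}
```

Without the DFD attestation the conditional finding is withheld rather than shown as in scope, and the same findings rendered under another framework carry no badge markup at all; both are the properties a renderer test should pin down.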
Req 12.8.5 TPSP shared-responsibility matrix renderer
The PCI DSS report now aggregates per-control cloudProviderAttestation into a Req 12.8.5–shaped Third-Party Service Provider shared-responsibility matrix. Twenty-eight in-scope sub-requirement rows by three cloud-provider columns (AWS, Azure, GCP), with the currently-named PCI DSS Service Provider Attestation of Compliance for each cell and an annual-revisit currency disclaimer. The matrix footer cross-references the Req 12.8.5 Defined-only invariant per PCI DSS v4.0.1 Appendix E and recommends a GRC pairing for the residual policy and governance sub-requirements that infrastructure scanning cannot evidence.
QSA enforcement-priority ranked view
Mirroring the HIPAA HHS-OCR enforcement-priority pattern, the new QSA enforcement-priority view classifies PCI DSS findings into four card-brand Attestation of Compliance enforcement categories:
- Cat 1 — externally-facing CDE weak authentication (Req 1 + Req 8). Highest enforcement priority across Visa CISP, Mastercard SDP, American Express DSOP, and Discover DISC.
- Cat 2 — unpatched CDE infrastructure (Req 6.3.3 + 6.4.1). Reuses the existing OCR-priority unpatched-infrastructure regex matcher.
- Cat 3 — pen-test substrate (Req 11.3.1, 11.3.2, 11.4.1, 11.4.2, 11.4.3).
- Cat 4 — critical-control-failure substrate (Req 10.2.1, 10.4.1, 10.5.1, 10.6.1, 10.7.x).
Operators can triage Cardholder Data Environment findings by what card-brand AOC reviewers actually escalate on, rather than by raw severity alone.
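A categorizer in the shape the four categories describe, as an added example that is not Nsasoft's code. The category definitions and requirement numbers are taken from the list above; the finding field names, the specific regular expression used for the unpatched-infrastructure matcher, and the sample findings are assumptions constructed for the example. It also shows the severity fallback the last sentence implies for findings outside all four categories.

```javascript
// Added example (not NSAuditor AI's own code). Ranks PCI DSS findings by the
// four card-brand AOC enforcement categories, then by severity.

// Assumed matcher; the product reuses its own OCR-priority regex, which is not published here.
const UNPATCHED_RE = /\b(unpatched|end[- ]of[- ]life|outdated|known vulnerab)/i;

// Category table in priority order. A prefix such as '1' matches 1 and 1.x.y but
// not 10.x; '10.7' stands for the release's "10.7.x".
const CATEGORIES = [
  { cat: 1, label: 'Externally-facing CDE weak authentication', reqs: ['1', '8'] },
  { cat: 2, label: 'Unpatched CDE infrastructure', reqs: ['6.3.3', '6.4.1'], textMatch: UNPATCHED_RE },
  { cat: 3, label: 'Pen-test substrate', reqs: ['11.3.1', '11.3.2', '11.4.1', '11.4.2', '11.4.3'] },
  { cat: 4, label: 'Critical-control-failure substrate', reqs: ['10.2.1', '10.4.1', '10.5.1', '10.6.1', '10.7'] },
];

// Exact match or sub-requirement of one of the listed prefixes.
function reqMatches(req, prefixes) {
  return prefixes.some((p) => req === p || req.startsWith(p + '.'));
}

// Returns 1..4, or null when the finding is not an enforcement-priority finding.
// Category 2 needs both the requirement and the text signal: a 6.3.3 finding
// about a missing patch policy is not "unpatched infrastructure".
function categorize(finding) {
  for (const c of CATEGORIES) {
    if (!reqMatches(finding.requirement, c.reqs)) continue;
    if (c.textMatch && !c.textMatch.test(`${finding.title} ${finding.detail || ''}`)) continue;
    return c.cat;
  }
  return null;
}

// Enforcement category first (uncategorized last), raw severity as the tie-break.
function rankFindings(findings) {
  const sevOrder = { critical: 0, high: 1, medium: 2, low: 3 };
  return findings
    .map((f) => ({ ...f, cat: categorize(f) }))
    .sort((a, b) => (a.cat ?? 99) - (b.cat ?? 99) || sevOrder[a.severity] - sevOrder[b.severity]);
}

// Constructed sample findings.
const SAMPLE = [
  { requirement: '10.7.2', title: 'Critical security control failure not alerted', severity: 'medium' },
  { requirement: '6.3.3', title: 'Unpatched OpenSSL on CDE host', severity: 'high' },
  { requirement: '8.4.1', title: 'Single-factor admin access to CDE', severity: 'high' },
  { requirement: '6.3.3', title: 'Patch policy document missing', severity: 'low' },
  { requirement: '3.5.1', title: 'Cleartext PAN at rest', severity: 'critical' },
];
```

Note the ordering this produces: a medium-severity 10.7.x alerting gap outranks a critical cleartext-PAN finding, which is exactly the point of the view. Severity is not discarded, it only decides order within and after the enforcement categories.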
Customized Approach Objective text on all 26 customized-eligible sub-requirements
PCI DSS v4.0 introduced the Customized Approach as a peer of the Defined Approach. Each customized-eligible sub-requirement has a published Customized Approach Objective in PCI DSS v4.0.1 Appendix D — the outcome statement that any alternative control implementation must meet. EE 0.11.1 ships the customizedApproachObjective field populated verbatim from Appendix D on all 26 customized-eligible sub-requirements. The two defined-only entries — Req 4.2.1.1 and Req 8.2.1 — keep customizedApproachObjective: null perpetually per the Appendix E invariant. Sample CAOs:
- 3.5.1 — “Cleartext PAN cannot be read from storage.”
- 8.4.1 — “Administrative access to the CDE cannot be obtained by the use of a single authentication factor.”
- 10.5.1 — “Historical records of activity are available immediately to support incident response and are retained for at least 12 months.”
The renderer surfaces a per-control CAO blockquote when the field is non-null. The cover-page Cardholder Data scope disclaimer has been rewritten from MVP-deferred framing to “populated per Appendix D” with verify-against-PCI-SSC-publication guidance.
Bonus: HIPAA OCR-priority categorizer fidelity uplift
While building the QSA enforcement-priority categorizer, the HIPAA OCR-priority categorizer (introduced in EE 0.9.4) was discovered to be reading the wrong field on the violation object. The corrected categorizer now surfaces findings on Vector 1 (Credential) — multi-factor delete protection not enabled — and on §164.312(c)(2) Ransomware substrate that the prior implementation missed. The fix is defended forward by a new invariant test in the PCI DSS renderer test suite that explicitly verifies the QSA categorizer reads the correct violation field.
CE license rotation: new license --reset subcommand
The Community Edition (nsauditor-ai@0.1.73) ships a new nsauditor-ai license --reset subcommand for atomic dual-channel macOS license-state reset. The command clears both ~/.nsauditor/license-state.json and the macOS Keychain NSAUDITOR_LICENSE_ID entry. Single-surface clearing was a half-fix on macOS because the license loader also reads from Keychain and Keychain wins on read. A --purge flag additionally clears the Keychain license-key entry for full uninstall.
Quad-framework workflow
The quad-framework one-scan workflow remains: nsauditor-ai scan --host aws --plugins all --compliance soc2,hipaa,nist-csf,pci-dss --out evidence/ produces four complete auditor-ready evidence packs from a single scan. Cross-framework citation-leak defense is enforced in all six pair-directions.
Trust posture
Zero data exfiltration remains the architecture: Cardholder Data, electronic Protected Health Information, cloud credentials, and scan data never leave the customer’s infrastructure. Zero Business Associate Agreement required under HIPAA §160.103. Air-gapped deployment supported for federal-contractor, DFARS, CMMC, and payment-processing Cardholder Data Environment isolation threat models.
Install
npm install -g nsauditor-ai@0.1.73 @nsasoft/nsauditor-ai-ee@0.11.1
npm install nsauditor-ai-agent-skill@0.1.40
More: NSAuditor AI Enterprise Edition · PCI DSS v4.0.1 coverage matrix
About Nsasoft US LLC — Nsasoft builds AI-powered network security and data recovery tools. NSAuditor AI is an open-source, zero-data-exfiltration scanner with 51 plugins (27 Community + 24 Enterprise) and air-gapped licensing that runs entirely on your infrastructure.